Add support for OpenSSH 6.2.

Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.

https://fedorahosted.org/freeipa/ticket/3571
This commit is contained in:
Jan Cholasta 2013-04-18 18:06:54 +02:00 committed by Rob Crittenden
parent 5d6a9d3bef
commit ddd8988f1c
2 changed files with 81 additions and 21 deletions

View File

@ -570,6 +570,42 @@ if [ $1 -gt 1 ] ; then
fi fi
fi fi
%triggerin -n freeipa-client -- openssh-server
# Has the client been configured?
restore=0
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
sed -r '
/^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
sed -ri '
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
' /etc/ssh/sshd_config.ipanew
elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
sed -ri '
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
' /etc/ssh/sshd_config.ipanew
elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
sed -ri '
s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
' /etc/ssh/sshd_config.ipanew
fi
mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
/sbin/restorecon /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
/bin/systemctl condrestart sshd.service 2>&1 || :
fi
fi
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
%files server -f server-python.list %files server -f server-python.list
%defattr(-,root,root,-) %defattr(-,root,root,-)
@ -799,6 +835,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog %changelog
* Tue Apr 30 2013 Jan Cholasta <jcholast@redhat.com> - 3.1.99-8
- Add triggerin scriptlet to update sshd_config on openssh-server update
* Thu Apr 25 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-7 * Thu Apr 25 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-7
- Update nss and nss-tools dependency to fix certutil problem (#872761) - Update nss and nss-tools dependency to fix certutil problem (#872761)

View File

@ -64,6 +64,10 @@ CLIENT_NOT_CONFIGURED = 2
CLIENT_ALREADY_CONFIGURED = 3 CLIENT_ALREADY_CONFIGURED = 3
CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys'
SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'
SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
client_nss_nickname_format = 'IPA Machine Certificate - %s' client_nss_nickname_format = 'IPA Machine Certificate - %s'
def parse_options(): def parse_options():
@ -1212,9 +1216,9 @@ def configure_ssh_config(fstore, options):
if options.trust_sshfp: if options.trust_sshfp:
changes['VerifyHostKeyDNS'] = 'yes' changes['VerifyHostKeyDNS'] = 'yes'
changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss' changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'): elif options.sssd and file_exists(SSH_PROXYCOMMAND):
changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h' changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts' changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
change_ssh_config(ssh_config, changes, ['Host']) change_ssh_config(ssh_config, changes, ['Host'])
root_logger.info('Configured %s', ssh_config) root_logger.info('Configured %s', ssh_config)
@ -1237,25 +1241,42 @@ def configure_sshd_config(fstore, options):
'UsePAM': 'yes', 'UsePAM': 'yes',
} }
if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'): if options.sssd and file_exists(SSH_AUTHORIZEDKEYSCOMMAND):
authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys' authorized_keys_changes = None
(stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
'-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False) candidates = (
if retcode == 0: {
changes['AuthorizedKeysCommand'] = authorized_keys_command 'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
changes['AuthorizedKeysCommandRunAs'] = None 'AuthorizedKeysCommandUser': 'nobody',
else: },
authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u' {
(stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', 'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
'-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False) 'AuthorizedKeysCommandRunAs': 'nobody',
},
{
'PubKeyAgent': '%s %%u' % SSH_AUTHORIZEDKEYSCOMMAND,
'PubKeyAgentRunAs': 'nobody',
},
)
for candidate in candidates:
args = ['sshd', '-t', '-f', '/dev/null']
for item in candidate.iteritems():
args.append('-o')
args.append('%s=%s' % item)
(stdout, stderr, retcode) = ipautil.run(args, raiseonerr=False)
if retcode == 0: if retcode == 0:
changes['PubKeyAgent'] = authorized_keys_command authorized_keys_changes = candidate
changes['PubkeyAgentRunAs'] = None break
else:
root_logger.warning("Installed OpenSSH server does not " + if authorized_keys_changes is not None:
"support dynamically loading authorized user keys. " + changes.update(authorized_keys_changes)
"Public key authentication of IPA users will not be " + else:
"available.") root_logger.warning("Installed OpenSSH server does not "
"support dynamically loading authorized user keys. "
"Public key authentication of IPA users will not be "
"available.")
change_ssh_config(sshd_config, changes, ['Match']) change_ssh_config(sshd_config, changes, ['Match'])
root_logger.info('Configured %s', sshd_config) root_logger.info('Configured %s', sshd_config)